In this week's Cyber Weekly:
Thanks to all 4984 subscribers. It really takes a community to fight against ransomware. By sharing and commenting on these newsletters, we can reach more people and help others from becoming a statistic. Share your comments below or simply like the post.
Instagram, owned by Meta (previously called Facebook), was fined for its treatment of children’s data on the photo-sharing app. Ireland’s Data Protection Commission decided on September 2 to impose one of the largest fines under the General Data Protection Regulation (GDPR) to enforce how children’s data is collected and shared by companies. California passed a similar law last week, and Britain passed a similar law last year.
The particular issue in the Instagram case is that the platform would automatically set teenagers’ profiles to public – revealing their emails and phone numbers.
“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them,” Meta said in an emailed statement.
This is the third time Meta has been fined under GDPR. (NewYorkTimes)
My thoughts: Data privacy laws need to be respected. Companies will no longer be given a "break" when they fail to protect individuals' data. If you are not aware of data privacy laws which exist in your state, province, or country, they definitely exist. It's probably best to believe that if your data privacy laws involving personal information are antiquated, there is probably a reform coming soon. It’s happening in Quebec at the end of this month.
At the end of July, Samsung Electronics America was breached as a result of a third party gaining unauthorized access to its systems. In August, the company realized user information had also been stolen. However, the electronics company that sells tablets, smartphones and debit cards only announced the cybersecurity incident last Friday.
“The company says the breach ‘may have affected’ names, contact information, demographics, dates of birth, and product registration information, but not Social Security numbers or credit/debit card numbers.”
Samsung is emailing the users who were directly affected by the incident. (howtogeek)
My thoughts: Samsung waited a month before sharing breach details with the public. This is indicative of how lengthy a forensics analysis can take to conduct, after a data breach. It also brings up the question “when is the right time to tell end-users about a cyber attack?” Should it be right away or after the analysis? In my opinion, forensics can take months. Therefore, companies should inform users as soon as it happens, like LastPass did.
Yesterday, the LA Unified School District in California experienced a cyber attack. Law enforcement agencies are investigating the incident while schools remain open today. Unfortunately, the attack disrupted the website, computer systems, applications and email access. The district uses Google Drive to save work, and students and teachers are concerned their work won’t be recovered.
“The White House brought together the Department of Education, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies,” the district announcement said. (LATimes)
My thoughts: LA School District is one of many education entities that were attacked this year. I still wonder how cyber security is not a priority for some industries. By some industries, I mean government, healthcare and education. A war doesn’t need bloodshed to cause havoc. It’s already starting online.
Earlier this year, Trojan horse programs were sent to students and teachers of Northwestern Polytechnical University, a Chinese aviation university, in an attempt to steal data. The university conducted an investigation that revealed which departments of the US’ National Security Agency (NSA) were behind the trojan emails.
“By extracting many trojan samples from internet terminals of Northwestern Polytechnical University, under the support of European and South Asian partners, the technical team initially identified that the cyberattack on the university was conducted by the Tailored Access Operations (TAO) (Code S32) under the Data Reconnaissance Bureau (Code S3) of the Information Department (Code S) of the US’ NSA.
The investigation also found that in recent years, TAO has conducted tens of thousands of malicious attacks against targets in China, controlling large numbers of network devices (web servers, internet terminals, network switches, telephone switches, routers, firewalls, etc.) to steal a high value of more than 140 GB of data.”
The investigation revealed 13 people from the US who were directly involved in the attack. There were 60 contracts and 170 electronic documents that the NSA signed with American telecom operators through a cover company to build an environment for cyberattacks.
“What I want to stress is that cyberspace security is a common problem faced by all countries worldwide. The US, with the world's most powerful cyber technology, should refrain from using such advantages to steal secrets from other countries, and should instead participate in global cyberspace governance in a responsible manner, and play a constructive role in maintaining cybersecurity,” Chinese Foreign Ministry spokesperson Mao Ning said. (Globaltimes)
My thoughts: I highly recommend reading the entire story and all the evidence they gathered against the NSA. My thoughts about this story are simple. How can we protect our nation from cyber attacks when we’re conducting them ourselves? It’s a vicious circle. And it makes the US look bad.
Access monthly conversations with IT & Tech Leaders about the hottest cyber security topics in the industry.